MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed844cfae2c80b291651f15b71e1c0608612446513cb527a5753bfa831a2e348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	ed844cfae2c80b291651f15b71e1c0608612446513cb527a5753bfa831a2e348
SHA3-384 hash:	061e5c3f0fda282dafaf5f8c706756bb7f9b8b2d709e7b593ebbc3c873d83b05318005f73b1a84654d5e42796a74dd14
SHA1 hash:	7a8ab3085e82f51a1bfe23ac7ef84514e7ebc983
MD5 hash:	9a08b5eac4b3431a78f512eba4be58a2
humanhash:	sweet-texas-finch-comet
File name:	e-dekont-html_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	858'624 bytes
First seen:	2022-02-07 08:04:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:B9Rha4x67Pk+PLOYrMoB8dvY1KCYjCD7UcDe0pyET9jm1gYZPbuPNzS/GTy/Hu3k:Daqgs+zOykdgTYjYeczjWZPb0
Threatray	15'022 similar samples on MalwareBazaar
TLSH	T1FB05D0AC7151B4EED81BC932EA683C60A63130B787CBD2039127169C9E5DA5BEF105F7
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

abuse_ch

AgentTesla SMTP exfil server:
mail.generalpakistan.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/234110/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6200d2b6accdde96b5e4526e/reports/8ffdcc94-28bf-48a3-8a93-925322a58117/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72d5c555-ddb5-4eaf-947e-156eb50fb721

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934954

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ed844cfae2c80b291651f15b71e1c0608612446513cb527a5753bfa831a2e348/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-07 07:19:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5wcez6xczafssfsr6fnxdyoamcdberdfcpfve6sxko72qmnc4nea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

708cf8c498731e0e0f42cf670fbdf0eb157657a2bdb84a7285742d0492f5592b

AgentTesla

8a5bc3c75311f008ef8790b86807f8ba141ffe0c159badc3db9df7b930ed0a1d

AgentTesla

a8806fb0c2c11dc35e0ba4295006382b34a2ecceee578acb9c949d622c359fc9

AgentTesla

acd30587225c95ccfdadc1e18152c01911c0ee78486c921034a6e5de12ce7376

AgentTesla

cb035e338380a49134435b0ab683122c80fdaad11f981b32f71cfb4ae8e14243

AgentTesla

e66fa2702c441976b520fadae630706672aea1b0ef3462fdb70a9f80265e91de

AgentTesla

f802635a50acc853156062812ce022dae2edb9d95c0bcd1be1e572d0c510c3f8

AgentTesla

fafe3c7c1660f4baadeaedff9ae0ca32e57407b991f01e5a965e8e19f6c133b1

AgentTesla

fcc68f21fb2df47f48e34831cc05fea67410ce80f4e249fa73e04053069b4638

AgentTesla

+ 15'012 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220207-jyv2bshfh6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

8904caa8f71fecf71d2ed5d9c8813791c3e8e5d3e1bf2fffdb7c01ae68a6d9e7

MD5 hash:

f6bdd748d9c5644dde0b1014bc6e9c20

SHA1 hash:

88d2fe16c92029fe0bb04e6e4e29130dc5a125ee

Link:

https://www.unpac.me/results/597cfd7c-2664-48fd-b803-c52ffaa88670/

SH256 hash:

0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9

MD5 hash:

263b5190f7ac42d83c756dcdf38147bb

SHA1 hash:

78f419fe3936ed7d603706c47230cd3e6ff79ffe

Link:

https://www.unpac.me/results/597cfd7c-2664-48fd-b803-c52ffaa88670/

SH256 hash:

a9e02adfacc980f10f1a04de51e1ccc19a8674af4a1e1e2fb26c7aa78de209c9

MD5 hash:

e2be53c3bb05ebacc36c2f93b2ef0d6c

SHA1 hash:

34d961ef74ff30fce779104f5d40f588a3080ddf

Link:

https://www.unpac.me/results/597cfd7c-2664-48fd-b803-c52ffaa88670/

SH256 hash:

ed844cfae2c80b291651f15b71e1c0608612446513cb527a5753bfa831a2e348

MD5 hash:

9a08b5eac4b3431a78f512eba4be58a2

SHA1 hash:

7a8ab3085e82f51a1bfe23ac7ef84514e7ebc983

Link:

https://www.unpac.me/results/597cfd7c-2664-48fd-b803-c52ffaa88670/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ed844cfae2c8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/234110/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample